Dynamic Access Control (DAC) adds claims-based authorization on top of the group hierarchy that Active Directory has always relied on: an access decision can take into account who the user is (claims derived from AD attributes), which device the request comes from, and how the file itself is classified, instead of group membership alone. This handling of authorization is accomplished through the following five components, which are –
Here is how it is done –
The File Classification Infrastructure (FCI) has been extended to be “claims aware”. Classification values stored on a file (resource properties such as Department or Impact) now take part in the access decision: a conditional access control entry compares the user’s claims against the file’s resource properties, so access follows how well the user’s claims fit the conditions set on the resource. Files can be classified by hand, by administrators through the Classification tab of a file’s properties in Windows Explorer, or automatically by File Server Resource Manager classification rules. The use of FCI has also enabled –
A new feature called Central Access Policies (CAP) lets you control how classified files are accessed. A user is granted access only after satisfying the requirements that administrators and data owners have set in the policy. Because the conditions can include device claims as well as user claims, a policy can require that the request come from an approved computer, not only from an approved user. The same mechanism feeds Access-Denied Assistance: when an intended user is turned away, the error message explains why and lets the user request access, which cuts the time administrators spend troubleshooting and handling access-denied tickets.
A CAP does not replace the local access policy or the Discretionary Access Control Lists (DACLs) on files; it is evaluated in addition to them. A user must be allowed by the share permissions, by the NTFS DACL and by the CAP; a “deny”, or simply a missing “allow”, at any one of these levels blocks access even when the other levels grant it. To be accessible, the file must have been granted at all levels. Each CAP is a set of central access rules, and each rule has two parts: a target condition on resource properties that determines which files fall under its scope, and a permission set of (conditional) Access Control Entries (ACEs) that governs who gets what on those files.
With a Central Access Policy (CAP) in place, file classification can be combined with expression-based access control. In an organization whose business-critical data is partitioned by division and by project, the access conditions admit only those users who hold both the division-level and the project-level authorization. The CAP is distributed to the file servers through Group Policy; an administrator then attaches it to the folders it should govern.
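As an added example (not code from the page or from Vyapin), the following PowerShell builds the pieces described above on a Windows Server 2012 domain with the ActiveDirectory and FileServerResourceManager modules: a user claim, a matching resource property, a central access rule whose conditional ACE compares the two, and a policy bundling the rule. The names (“Department”, “Department match”, “Project data policy”), the SDDL condition syntax for `Exists`, and the resource property value type are assumptions for illustration; check them against `Get-Help` in your environment before running.

```powershell
# Added example, not from the page: build a claims-based central access policy.
Import-Module ActiveDirectory

# 1. A user claim sourced from the AD "department" attribute. Once claims support
#    is enabled on the KDC via Group Policy it travels inside the Kerberos ticket.
New-ADClaimType -DisplayName 'Department' -SourceAttribute 'department'

# 2. A resource property with the same name and value set, so files can be tagged
#    with a Department that is comparable to the user's Department claim.
#    (Value type and -SharesValuesWith usage are assumptions for illustration.)
New-ADResourceProperty -DisplayName 'Department' -IsSecured $true `
    -ResourcePropertyValueType 'MS-DS-SinglevaluedChoice' -SharesValuesWith 'Department'
Add-ADResourcePropertyListMember -Identity 'Global Resource Property List' -Members 'Department'

# 3. A central access rule. Target: any file that carries a Department tag
#    ("Exists" operator form assumed). Permissions: an SDDL DACL in which
#    XA = callback (conditional) allow ACE; Authenticated Users get read access
#    only when their claim equals the file's tag. Administrators and SYSTEM are
#    allowed explicitly, because a CAP is an extra gate: whoever is not allowed
#    here is denied even if the NTFS DACL allows them.
$dacl = 'O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)(A;;FA;;;SY)' +
        '(XA;;FR;;;AU;(@USER.Department == @RESOURCE.Department))'
New-ADCentralAccessRule -Name 'Department match' `
    -ResourceCondition '(Exists @RESOURCE.Department)' `
    -CurrentAcl $dacl

# 4. A policy that bundles the rule. It is pushed to file servers through the GPO
#    setting Security Settings > File System > Central Access Policy, and then
#    attached to a folder under Advanced Security Settings > Central Policy.
New-ADCentralAccessPolicy -Name 'Project data policy'
Add-ADCentralAccessPolicyMember -Identity 'Project data policy' -Members 'Department match'

# 5. On each file server, refresh the resource property definitions so the new
#    Department tag shows up in Explorer and in FSRM classification rules.
Import-Module FileServerResourceManager
Update-FsrmClassificationPropertyDefinition
```

Run the first four steps once on a domain controller or from a machine with RSAT; the last step runs on each file server after the GPO has refreshed. Note that the conditional ACE in step 3 only grants read access; adding a second rule (or a second ACE) is the way to give, say, the file owner's department write access.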
The different steps involved in the controlling of access can be summed up as –
Such layered governance of access also makes it possible to spot misconfigured security settings. This helps in troubleshooting access-denied problems, since the InfoSec manager has a clear view of who has access to which files and under which rules.
A further advantage of this layering under DAC is that fewer groups are needed to express who may read what. Suppose a user belongs to both the Managers group and the Project Leaders group and needs access to the files shared by the two. Before DAC, the usual solution was a third group (say, Directors) containing both groups, with the files granted to Directors. If that user’s role later changes but nobody removes him from Directors, he keeps access to those files; if the administrator does not notice such stale memberships, they become a data security risk for the organization.
In such a situation DAC proves extremely useful, because access can be granted on a combination of individual conditions. This can be represented as –
If <meet condition 1> and <meet condition 2> then action = “grant access”
With this, DAC checks whether the user is in the Managers group AND in the Project Leaders group. If both hold, the user is granted access; otherwise he is denied. No additional group has to be created in Active Directory, so DAC reduces both the number of groups and the administrative burden of keeping them accurate.
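The combined condition above can be written directly into a folder’s NTFS DACL as a conditional ACE, with no CAP and no Directors group. The block below is an added example (not code from the page or from Vyapin); the group names and the folder path are assumptions for illustration.

```powershell
# Added example, not from the page: grant a folder only to users who are members
# of BOTH the Managers and the Project Leaders groups, via one conditional ACE.
Import-Module ActiveDirectory

$folder   = 'D:\Shares\JointProjects'          # assumed path
$managers = (Get-ADGroup -Identity 'Managers').SID.Value
$leaders  = (Get-ADGroup -Identity 'Project Leaders').SID.Value

# XA      = callback (conditional) access-allowed ACE
# OICI    = inherit to subfolders (OI) and files (CI)
# 0x1200a9 = Read & Execute (FILE_GENERIC_READ | FILE_GENERIC_EXECUTE)
# Member_of {...} is true only when EVERY listed SID is in the user's token,
# which is exactly "condition 1 AND condition 2" from the text.
$conditionalAce = "(XA;OICI;0x1200a9;;;AU;(Member_of {SID($managers), SID($leaders)}))"

# D:P = protected DACL (inheritance from the parent is cut), so the conditional
# ACE and the explicit Administrators/SYSTEM entries are the only grant paths.
$sddl = "D:P(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)$conditionalAce"

$acl = Get-Acl -Path $folder
# Replace only the DACL section; owner, group and SACL stay as they are.
$acl.SetSecurityDescriptorSddlForm($sddl, [System.Security.AccessControl.AccessControlSections]::Access)
Set-Acl -Path $folder -AclObject $acl

# Show the resulting descriptor; the XA entry should appear in the D: section.
(Get-Acl -Path $folder).Sddl
```

Conditional ACEs are evaluated by Windows 8 / Windows Server 2012 and later; older clients accessing the share are served by the Server 2012 file server, so the condition still applies. Verify the outcome for a specific account with the Effective Access tab in Advanced Security Settings before relying on it, because a user who is in only one of the two groups must end up with no access rather than partial access.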
With the advanced audit policies in Windows Server 2012, you can reconstruct after the fact how often a protected file on the file server was targeted. The success and failure audits you enable under the centrally managed audit policy record who attempted to access a secured file and which of those attempts succeeded. Because claims and resource properties are written into the audit events, Global Object Access Auditing, set through Group Policy, can log access across every file on the server without placing a SACL on each folder, and the audit entries can be targeted at specific types of data, which doubles as a compliance record for the files on the server.
An advantage of this approach is that the number of events can be limited to those actually needed, and when the audited files carry classification tags the resulting reports come with context: not just who touched which path, but what kind of data it held.
Claims-based authorization and auditing need domain controllers that understand claims: at least one Windows Server 2012 domain controller, and enough of them to serve the claims-aware requests of the Windows Server 2012 file servers, since Windows Server 2008 domain controllers can coexist in the domain but do not issue claims. The Kerberos Key Distribution Center (KDC) on Windows Server 2012 was extended for this: user and device claims are carried inside the Kerberos ticket, compound authentication lets a ticket carry the device’s identity alongside the user’s, and Kerberos armoring (FAST) protects these exchanges. They are switched on with the Group Policy setting “KDC support for claims, compound authentication and Kerberos armoring” on the domain controllers and its client-side counterpart, “Kerberos client support for claims, compound authentication and Kerberos armoring”, on the computers.
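As an added example (not code from the page or from Vyapin), the PowerShell below enables file-system auditing on a Windows Server 2012 file server and then answers the question the text raises: who tried to open files under a protected folder, and how many of those attempts were denied. Successful accesses are logged as event 4663; a refused handle request is logged as event 4656 with the Audit Failure keyword, so both IDs are needed. The folder path, the seven-day window and the use of `ResourceAttributes` as the classification column are assumptions for illustration; the script must run elevated on the file server.

```powershell
# Added example, not from the page: who accessed a protected folder, and how often they were denied.

# Audit policy: turn on object-access auditing for the File System subcategory.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# Global Object Access Auditing: audit every read of any file by Everyone, so no
# per-folder SACL is needed (the GPO equivalent lives under Advanced Audit Policy
# Configuration > Global Object Access Auditing > File System).
auditpol /resourceSACL /set /type:File /user:Everyone /success /failure /access:FR

$root  = 'D:\Shares\JointProjects'       # assumed path
$since = (Get-Date).AddDays(-7)          # assumed window

function Get-ProtectedFolderAccess {
    param([string]$Path, [datetime]$StartTime)

    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656, 4663; StartTime = $StartTime } `
                           -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Pull the named EventData fields out of the event XML by name rather than
        # by position, so the script is not tied to the field order of one OS build.
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data.ObjectName -notlike "$Path*") { continue }

        $denied = ($e.Id -eq 4656) -and ($e.KeywordsDisplayNames -contains 'Audit Failure')
        # A successful 4656 is followed by a 4663 for the same handle; count only the 4663.
        if ($e.Id -eq 4656 -and -not $denied) { continue }

        [pscustomobject]@{
            Time   = $e.TimeCreated
            User   = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
            Object = $data.ObjectName
            Result = if ($denied) { 'Denied' } else { 'Allowed' }
            Tags   = $data.ResourceAttributes   # classification stamped on the file (Server 2012+)
        }
    }
}

Get-ProtectedFolderAccess -Path $root -StartTime $since |
    Group-Object User, Result |
    Sort-Object Count -Descending |
    Select-Object Count, @{ n = 'User'; e = { $_.Values[0] } }, @{ n = 'Result'; e = { $_.Values[1] } }
```

Because Global Object Access Auditing applies to every file on the server, the Security log can grow quickly; narrow `/access:` to the operations you care about and forward the log to a collector before enabling it on a busy file server.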
Encryption of secured files follows from classification. Files that carry a sensitivity tag can be encrypted automatically through Active Directory Rights Management Services (AD RMS): a continuous file management task in File Server Resource Manager, running in the background on the server, detects files classified as sensitive and applies RMS protection to them. The protection travels with the file, so even if it is inadvertently moved or copied outside its circle of use it stays inaccessible to unintended users: a reader must authenticate to the AD RMS server and be issued a use license before the content key is released. Without that, the file remains encrypted and locked.
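As an added example (not code from the page or from Vyapin), the following PowerShell creates the kind of continuous file management job described above with the FileServerResourceManager module: any file under a share whose built-in Impact property is High gets RMS-protected with a named template. The share path, the template name, the use of the built-in “Impact_MS” property and the exact cmdlet parameter names are assumptions for illustration; confirm them with `Get-Help New-FsrmFmjAction` and `Get-Help New-FsrmFileManagementJob` on your server.

```powershell
# Added example, not from the page: auto-apply AD RMS protection to files classified Impact = High.
Import-Module FileServerResourceManager

$share = 'D:\Shares\Finance'                   # assumed path

# Condition: the file's Impact resource property equals High. "Impact_MS" is the
# ID of the built-in Impact property (assumed); a custom property would use its own ID.
$condition = New-FsrmFmjCondition -Property 'Impact_MS' -Condition Equal -Value 'High'

# Action: protect with RMS using a template that defines who may open, print or
# copy the content. The template must already exist on the AD RMS cluster.
$action = New-FsrmFmjAction -Type Rms -RmsTemplate 'Finance - Confidential'   # assumed template name

# A continuous job reacts to classification changes as they happen instead of
# waiting for the schedule; the schedule still catches files missed while the
# service was down (schedule cmdlet parameters assumed).
$schedule = New-FsrmScheduledTask -Time (Get-Date '02:00') -Weekly Sunday

New-FsrmFileManagementJob -Name 'Protect high-impact finance files' `
    -Namespace $share -Condition $condition -Action $action `
    -Continuous -Schedule $schedule
```

Test the job on a copy of the share first: RMS protection changes the file format, so applications without an RMS-aware viewer (and backup or indexing agents) will see opaque data afterwards, and a misclassified file is locked just as firmly as a correctly classified one.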
Adopting Dynamic Access Control and then implementing Central Access Policies calls for tooling that can manage and control all aspects of DAC/CAP, especially tracking, reporting on and applying central policies, alongside fine-grained control of NTFS permissions on folders and files.
Vyapin offers two proprietary solutions to audit and manage DAC / NTFS permissions on Windows servers. They are:
Here is a brief on both these products along with some representation of their auditing and permissions management capabilities.
This is a comprehensive NTFS permissions auditing solution that covers all aspects of Windows file server auditing, including the permissions of users and groups on files, folders and shares. It shows how the security of your Windows network is organized by reporting in detail on the ACLs of shares, folders and files.
Here is a list of some of the benefits it offers.
Given below are some screenshots depicting various processes underway in the NTFS Security Auditor.
This is an NTFS permissions management solution that helps you improve the security of shares, folders and files on Windows servers and workstations. It helps you grant, revoke, modify and copy NTFS permissions according to the built-in rules for assigning permissions.
Here is a list of some of the benefits it offers.
Given below are some screenshots depicting various processes underway in the NTFS Security Manager.